HIPAA Security Protecting Electronic Health Information

The University has recently undertaken an initiative to ensure that all Schools and Centers that handle health information will be in compliance with the Security Rule of the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) by April 21, 2005. Closely related to the HIPAA Privacy Rule (2003) governing the use and disclosure of individually identifiable health information, the Security Rule is largely, but not exclusively, a technology-oriented rule, intended to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

UPHS, School of Medicine, School of Dental Medicine, Student Health, H.R.’s Employee Health Plan and the School of Nursing’s LIFE program (Living Independently for Elders)—the areas covered by the Privacy Rule—are the primary areas affected by the Security Rule. In addition, many administrative offices across the University must be considered in the compliance initiative based on their access and use of protected health information.

Broad efforts are now underway to identify where electronic health information is stored and to compare our current practices with those soon to be legally mandated. Teams working in affected Schools and Centers are engaged in this challenging analysis and in promulgating stronger policies and procedures to properly manage risks. If you work, teach, or study in any of the affected Schools and Centers you’ll hear more over the coming months regarding training and any changes made in administrative policy and physical or technical safeguards.

HIPAA compliance is one more evolutionary step in Penn’s ongoing work to secure its computers, networks, and sensitive data. The criticality of Penn’s reputation requires us to mitigate potential risks of inappropriate visibility of, or access to, sensitive health information. Directly related to our reputation is the trust of our patients and research subjects. With information as deeply personal as health information, maintaining the trust placed in us is vital to the long-term success of the University. We expect our HIPAA Security compliance efforts to result in some best practice models that will be useful in further protecting other sensitive information such as Social Security numbers, grades, and financial information.

Better-coordinated business continuity measures are another important benefit derived from the HIPAA standards. The Security Rule requires electronic protected health information to be backed up routinely and available to appropriate staff in emergencies. Universities and hospitals affected by hurricanes this year in the southeastern U.S. can testify to the importance of business continuity—it is often in times of emergency that reliable processes for information access are most important.

If you have questions about how HIPAA Security may affect you, contact the HIPAA Security Contact in your school or center (see below). To get a copy of the HIPAA Security Rule, go to www.cms.hhs.gov/hipaa/. For information about HIPAA compliance activities, see the following: